/hmr

The word lists used in this phase are from Daniel Miessler's SecLists: https://jarrettgxz-sec.gitbook.io/offensive-security-concepts/tools-services/wordlists.

The word list path shown in the examples below will be displayed as a redacted relative directory.

Manual inspection of source code

From a manual inspection of the source code within Burp Suite, I found a comment:

It appears that the directories in this application use the hmr_ prefix.

Directory discovery

I proceeded to perform directory fuzzing with the hmr_ prefix:

$ ffuf -u http://<target.com>:1337/hmr_FUZZ -w .../Discovery/Web-Content/common.txt -mc 200,301,302

I visited the /hmr_css, /hmr_images and /hmr_js directories, and was presented with an index listing, but found nothing of interest.

However, the /hmr_logs directory displayed an error.logs file.

From the error.logs file, I found the email address: tester@hammer.thm. Very well, now let's use this email address on the reset password page.

Refer to the Brute forcing 4-digit code section for the next step.
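
Seen from the defender's side, the ffuf run above leaves a recognisable pattern in the web server's access log: one client requesting many distinct paths that share the hmr_ prefix, most of them answered with 404. The Python below is an added example, not part of the original write-up; the common log format, the thresholds, the IP addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from os.path import commonprefix

# Common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def detect_prefix_fuzzing(lines, min_paths=8, min_miss_ratio=0.6):
    """Flag clients that probe many distinct paths, mostly 404s, and report their shared prefix."""
    seen = defaultdict(dict)  # client -> {path: last status seen}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            path = m.group(2).split("?")[0]  # ignore query strings
            seen[m.group(1)][path] = int(m.group(3))
    findings = []
    for client, paths in seen.items():
        misses = sum(1 for status in paths.values() if status == 404)
        if len(paths) < min_paths or misses / len(paths) < min_miss_ratio:
            continue  # too few requests, or mostly valid pages: normal browsing
        findings.append({
            "client": client,
            "distinct_paths": len(paths),
            "shared_prefix": commonprefix(list(paths)),
            # Paths the scan actually located: review these for listings and stray files.
            "discovered": sorted(p for p, s in paths.items() if s in (200, 301, 302)),
        })
    return findings

# Constructed sample log (hypothetical values): one scanning client, one ordinary visitor.
WORDS = ["admin", "backup", "config", "css", "db", "images",
         "js", "logs", "old", "test", "tmp", "uploads"]
FOUND = {"css", "images", "js", "logs"}
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2025:10:00:{i:02d} +0000] "GET /hmr_{w} HTTP/1.1" '
    f'{301 if w in FOUND else 404} 0'
    for i, w in enumerate(WORDS)
] + [
    '198.51.100.20 - - [01/Jan/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2025:10:01:02 +0000] "GET /hmr_css/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in detect_prefix_fuzzing(SAMPLE):
        print(finding)
```

The "discovered" list is the part to act on: every entry is a directory an unauthenticated client located, so each should be checked for index listings and for files such as logs that do not belong under the web root.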
